OPENSUSE-SU-2019:1927-1 (openSUSE)
History: Aug 18, 2019 - 12:00 a.m.

Security update for zypper, libzypp and libsolv (moderate)

2019-08-18 00:00:00
Source: lists.opensuse.org

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

An update that solves three vulnerabilities and has 41
fixes is now available.

Description:

This update for libzypp and libsolv fixes the following issues:

Security issues fixed:

  • CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c
    (function testcase_read) (bsc#1120629).
  • CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c
    (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
  • CVE-2018-20534: Fixed illegal address access at src/pool.h (function
    pool_whatprovides) in libsolv.a (bsc#1120631).

Fixed bugs and enhancements:

  • Make cleandeps jobs on patterns work (bnc#1137977).
  • Fixed an issue where libsolv failed to build against swig 4.0 by
    updating the version to 0.7.5 (bsc#1135749).
  • Fixed the wrong product name shown after a virtualization host upgrade
    from SLES-15 to SLES-15-SP1 (bsc#1131823).
  • Copy pattern categories from the rpm that defines the pattern
    (fate#323785).
  • Enhance scanning /sys for modaliases (bsc#1130161).
  • Prevent SEGV if the application sets an empty TextLocale (bsc#1127026).
  • Handle libgpgme error when gpg key is not completely read and user hits
    CTRL + C (bsc#1127220).
  • Added a hint when registration codes have expired (bsc#965786).
  • Improved handling of errors when verifying any repository medium
    (bsc#1065022).
  • Only write the type field when probing (bsc#1114908).
  • Fixed an issue where zypper showed the info message ‘Installation
    aborted by user’ although the installation was aborted by wicked
    (bsc#978193).
  • Suppresses reporting /memfd: pseudo files (bsc#1123843).
  • Fixes an issue where zypper was not able to install or uninstall
    packages when rpm is unavailable (bsc#1122471).
  • Fixes an issue where locks were ignored (bsc#1113296).
  • Simplify complex locks so zypper can display them (bsc#1112911).
  • zypper will now set SYSTEMD_OFFLINE=1 during chrooted commits
    (bsc#1118758).
  • no-recommends: Nevertheless consider resolver namespaces (hardware,
    language,…supporting packages) (fate#325513).
  • Removes world-readable bit from /var/log/zypp (bsc#1099019).
  • No longer fail service-refresh on an empty repoindex.xml
    (bsc#1116840).
  • Fixes soname due to libsolv ABI changes (bsc#1115341).
  • Add infrastructure to flag specific packages to trigger a reboot needed
    hint (fate#326451).

This update for zypper 1.14.27 fixes the following issues:

  • bash-completion: add package completion for addlock (bsc#1047962)

  • bash-completion: fix incorrect detection of command names (bsc#1049826)

  • Offer to change the ‘runSearchPackages’ config option at the prompt
    (bsc#1119373, FATE#325599)

  • Prompt: provide a ‘yes/no/always/never’ prompt.

  • Prompt: support “#NUM” as answer to select the NUMth option…

  • Augeas: enable writing back changed option values (to ~/.zypper.conf)

  • removelocale: fix segfault

  • Move needs-restarting command to subpackage (fixes #254)

  • Allow empty string as argument (bsc#1125415)

  • Provide a way to delete cache for volatile repositories (bsc#1053177)

  • Adapt to boost-1.69 requiring explicit casts tribool->bool (fixes #255)

  • Show support status in info if not unknown (bsc#764147)

  • Fix installing plain rpm files with zypper in (bsc#1124897)

  • Show only required info in the summary in quiet mode (bsc#993025)

  • Stay with legacy behavior and return ZYPPER_EXIT_INF_REBOOT_NEEDED
    only for patches. We don’t extend this return code to packages, although
    they may also carry the ‘reboot-needed’ attribute. The preferred way to
    test whether the system needs to be rebooted is zypper needs-rebooting. (openSUSE/zypper#237)

  • Skip repository on error (bsc#1123967)

  • New commands for locale management: locales, addlocale, removelocale.
    Inspect and manipulate the system's requested locales, i.e. the
    languages that software packages should try to support by installing
    translations, dictionaries and tools, as far as they are available.

  • Don’t throw, just warn if options are repeated (bsc#1123865)

  • Fix detection whether stdout is a tty (happened too late)

  • Fix broken --plus-content switch (fixes bsc#1123681)

  • Fix broken --replacefiles switch (fixes bsc#1123137)

  • Extend zypper source-install (fixes bsc#663358)

  • Fix inconsistent results for search (bsc#1119873)

  • Show reboot hint in zypper ps and summary (fixes bsc#1120263)

  • Improve handling of partially locked packages (bsc#1113296)

  • Fix wrong default values in help text (bsc#1121611)

  • Fixed broken argument parsing for --reposd-dir (bsc#1122062)

  • Fix wrong zypp::indeterminate use (bsc#1120463)

  • CLI parser: fix broken initialization enforcing ‘select by name’
    (bsc#1119820)

  • zypper.conf: [commit] autoAgreeWithLicenses {=false} (fixes #220)

  • locks: Fix printing of versioned locks (bsc#1112911)

  • locks: create and write versioned locks correctly (bsc#1112911)

  • patch: --with update may implicitly assume --with-optional (bsc#1102261)

  • no-recommends: Nevertheless consider resolver namespaces (hardware,
    language,…supporting packages) (FATE#325513)

  • Optionally run “zypper search-packages” after “search” (FATE#325599)

  • zypper.conf: Add [search]runSearchPackages config variable.

  • Don’t iterate twice on --no-cd (bsc#1111319)

  • zypper-log: Make it Python 3 compatible

  • man: mention /etc/zypp/needreboot config file (fate#326451, fixes #140)

  • Add needs-restarting shell script and manpage (fate#326451)

  • Add zypper needs-rebooting command (fate#326451)

  • Introduce a new zypper command framework. Commands migrated so far:
    addlock addrepo addservice clean cleanlocks modifyrepo modifyservice ps
    refresh refresh-services removelock removerepo removeservice renamerepo
    repos services

  • MediaChangeReport: fix https URLs causing 2 prompts on error
    (bsc#1110542)

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.0:

    zypper in -t patch openSUSE-2019-1927=1

Package table (OS / Version / Architecture / Package / Version / Filename): the package names and versions did not survive extraction. Recoverable rows: openSUSE Leap 15.0 for i586 (.i586.rpm), x86_64 (.x86_64.rpm) and noarch (.noarch.rpm).
